OpenBSD Journal

Apache exploit targets OpenBSD

Contributed by Dengue on from the apply-errata-folks dept.

Chris Roland writes :
"GOBBLES Security a non-profit security organization just released source code to exploit Apache on OpenBSD. Its interesting to read the source and see all the comments made by this group to theo. "

Patch your systems folks.

(Comments are closed)

  1. By Vincent Foley () on

    Reading from the comments, these guys seem highly immature.

    1. By Vincent Foley () on


      1. By earx () on

        what is the mailing secure-announce for ?
        no mail for this exploit !

        1. By Paul () on

          No mail for the exploit.

          No one-liner to fix the bug. (i.e. "pkg_add fix_my_damn_hole_before_it_is_exploited") -- part of making systems secure is making security easy. I run openbsd because I *don't want* to spend a lot of time thinking about security.

          No announcement on the front page of

 still claims "Five years without a remote hole in the default install!" Is there something I misunderstand about what "remote hole" means?

          I'm losing faith here.

          1. By Not Really Anonymous () on

            I wouldn't lose faith. Its not about the OpenBSD team making sure that your server is secure, its about you making sure that your server is secure. No matter what operating system you use (*I prefer OpenBSD), you still need to lock it down and use other technologies to insure security.

            The whole remote hole statement, I wouldn't get to bent on that, the fact is, the OpenBSD team has rocked, spending a lot of time and effort into this project.

          2. By earx () on

            apache is not in the default install
            but why they didn't inform us of the hole ?
            i didn"t read bugtraq and i wait for mail
            of the security-announce mailing !

            1. By Cabal () on

              Apache most definitely is in the default install.

              1. By Rudy () on

                Sure Apache IS in the default install, but is is NOT enabled! So the default install is safe!

          3. By mirabile () on #OpenBSD

            remote _root_ exploit.

            A server crash is no root exploit.
            A httpd exploit is no root exploit, but a wwwrun exploit.
            wwwrun != uid0

            1. By it is () on

              it is a remote root exploit

              1. By gwyllion () on

                You call this root?
                uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)


                1. By anonymous () on

                  I don't know how it is on OpenBSD but at least on linux the main httpd process is running as root and only its children are run as nobody.

                  1. By gwyllion () on

                    The clildren are exploited. So the attacked doesn't gain remote root.

                    1. By Anonymous Coward () on

                      So even on OpenBSD apache is exploited, you don't get root unless you use some other ( local ) exploit ? How was (DuSong files) compromised then ?

                      1. By Anonymous Coward () on

                        Yes you only get a shell with nobody, I tried this exploit against my 3.0 with apache 1.3.19 box and it didn't work or drop to a shell. So I have yet to prove this exploit.

                        1. By Not Really Anonymous () on

                          I had the same problem executing the exploit on my boxes with the same version OpenBSD and Apache.

                          1. By Anonymous Coward () on

                            If the default offsets don't work for you try brute force.

                            1. By Anonymous Coward () on

                              Did do brute force.. Still no go!

                      2. By Someone () on

                        Good point. Dug Song claimed that was compromised thru backdoored EPIC, gaining root thru a screened su. Could it be that there are 0-day sploits in the kernel like the comments say ?
                        And why didnt report that Fragroute(r) and Dsniff was backdoored until he was confronted on Bugtraq ? The arrogance...

                        1. By Anonymous Coward () on

                          Irssi, NOT Epic!

                      3. By Anonymous Coward () on

                        How was (DuSong files) compromised then

                        why not read and find your answers? the compromise of had nothing to do with apache.

                  2. By Anonymous Coward () on

                    Yes, and the main apache process *does not listen to the outside world* except for a fraction of a second at the beginning of the apache lifecycle. It just makes the connection to port 80, then stops listening and spawns children to take over that task and watches over them. So the attacker would have to be incredibly lucky to nail apache at the exact fraction of a second when it's starting...

              2. By Anonymous Coward () on

                As commented elsewhere, Apache is NOT enabled by default.

          4. By pravus () on

            sounds like you never had faith to begin with...

            why is there no announcement on the front page? a better question would be: "why should there be?"

            really, if you are a server admin who doesn't frequent security bulletin sites, you aren't really an admin. and if you want to parade around as a simple "user" of the OS, that's fine. just don't expect people to care about your system being insecure.

            the software you run is your choice. if you don't agree with the vendor's support policies, move to a different platform. it's just that simple.

            and the remote hole statment holds true. i still can't understand why that statement causes so much confusion. take the OpenBSD install... select the DEFAULT options... what you get is the *gasp* DEFAULT INSTALL. and is apache enabled? *gasp* NO! *gasp*

            is it clear now?

    2. By RC () on

      If you hadn't noticed, they've admitted that it has been used to compromise servers on at least 3 occasions. being one of them. You've got to admit, even if you dislike the laws, these are the few that deserve to be put away for a couple years.

  2. By webmaster () on localhost

    [Sat Jun 22 16:23:47 2002] [notice] child pid 23400 exit signal Segmentation fault (11)
    [Sat Jun 22 16:23:50 2002] [notice] child pid 22283 exit signal Segmentation fault (11)
    [Sat Jun 22 16:23:54 2002] [notice] child pid 20940 exit signal Segmentation fault (11)
    [Sat Jun 22 16:23:57 2002] [notice] child pid 28129 exit signal Segmentation fault (11)
    [Sat Jun 22 16:24:00 2002] [notice] child pid 10595 exit signal Segmentation fault (11)
    [Sat Jun 22 16:24:03 2002] [notice] child pid 9959 exit signal Segmentation fault (11)
    [Sat Jun 22 16:24:06 2002] [notice] child pid 13345 exit signal Segmentation fault (11)

    1. By mak () on

      Those with snort might find this useful. >:)

      1. By Mike () on

        I ran the apache scalp.c code against 3 machines one patched and two unpatched and it didn't seem to "spawn a shell" against any of them.

        Can anyone else confirm that the apache scalp code at is functional?

        1. By mak () on

          Tested on OpenBSD 3.0 with apache 1.3.20

          1. By Anonymous Coward () on

            What is the ...

            "0day OpenBSD local kernel exploit"


            1. By Anonymous Coward () on


          2. By Bilou () on

            Hello,but how can I get the program "apache-scalp "?

        2. By Anonymous Coward () on

          apache-scalp.c assumes some 4 offsets to own 4 "default" flavours of OpenBSD, thus if you have Apache+PHP or anything nondefault - attackers need to rebuild your system to resolve your specific offset (or hit blindly like in example with many dying child processes)

  3. By Anonymous Coward () on

    This whole "root for low ports" is the most brain-dead idiotic "security" measure that has ever existed on Unix. If all users were allowed to bind to "privledged" ports, this would be a remote user compromise, not a remote root 'sploit. I've been saying this for years: Making processes such as bind, httpd, and other things which are essentially just serving information run at the highest privledge level is idiotic. Whenever I bring this up on the OpenBSD list I get flamed. However no one seems able to come up with a reason why that "privledged port" thing still exists. It made some sense back a long time ago but it no longer has any security purpose and it is the fundamental cause of most exploits these days.

    1. By Anonymous Coward () on

      Run Apache on 8080, and use pf to redirect. Voila .. root nolonger necessary.

    2. By Michael Anuzis () on


      The exploit is not remote root, it effects apache's children that either run as "nobody" or "www"

      p.s. Running it on port 8080 with pf redirection would make ~no difference in the result of the compromise.

      1. By Anonymous Coward () on

        well it would make a difference. if you ran apache as nobody or wwwrun on 8080.. it couldnt do anything bad.

        1. By Anonymous Coward () on

          It will still drop a shell prompt when exploited and have the prems of your httpd. The situation has not changed by running on port 8080

    3. By Anonymous Coward () on

      Oh, you mean like in Linux, where you can set a low-port-bind flag on a process *instead* of running it as root.

    4. By Anonymous Coward () on

      "Root for low ports" was never intended as a security measure. It was intended to enforce local policy so that your average moron user couldn't start telnetd even if he felt like it. It fits very well with the traditional Unix security model--it's just that the traditional Unix security model isn't very good in a hostile environment.

      BTW, the "fundamental cause of most exploits these days" are stupid programmers. If all software was a well written as Apache, Postfix, and BIND 9, we wouldn't need to consider changes to the traditional Unix security model.

    5. By Ben Johnson () on

      I concur!

      Ther *was* some logic in having root hold sway over the lower ports - an unix server that could launch an attack would by default have to be logged in a root or comprimised. This limited the amount of computers that could lauch an attack.

      Now that everybody has a Windows box, and a DIY Unix is easy - every computer can launch an attack.

      The compeling idea that you should only give a process the bare minimum resources to function should hold sway over the tradition of root for low ports. If it's too hard to masage Apache et al into not using root - then there should be another process that monitors them for 'appropriate' behaviour.Example: any spawn of Apache should be killed if it attempts to spawn a shell.

      But what do I know - I just buy the CDs and paste the stickers.

      1. By Michael Anuzis () on

  4. By Anonymous Coward () on

    I think Gobbles is Theo

    1. By Not Really Anonymous () on

      Split personality?

  5. By gnudutch () on

    Does anybody have the quick fix???

    1. By gwyllion () on

      The obvious place is

    2. By Anonymous Coward () on

      update to apache 2.0.39/1.3.26

    3. By pravus () on

      the fix for you is to dig out your DOS 6.2 diskettes and re-install.

  6. By BokLM () on

    Isn't it a remote holl in the default install ?
    Why do they keep this on the website !!
    If they consider that apache is not a part of the default install (it is installed but not running), that's stupid and most OS could say the same...

    OpenBSD is a good and secure OS, but I think that saying "no remote hole in the default install" is not true. I think it would be good to remove this from the website...

    1. By submicron () on

      Get over yourself. Apache comes with the distribution but is not installed and running by default for exactly this reason. OpenBSD is a very svelte default installation (part of the appeal incidentally) and moronic things like a webserver running on it straight out of the box just aren't done. So no, this is not an example of a remote exploit in the default install and no, the website's slogan should not be appended.

      1. By Bill Gates () on

        My MS-DOS is "Fifteen+ years without a remote hole in the default install." That's why it was the world's best-selling software in the past.

        Remember, "MS-DOS is simply the best secure OS in the world."

    2. By Anonymous Coward () on

      Few OSs can say they are secure from a remote
      exploit on a default install. VERY few.;; only one;;
      Stupid is having to go through and turn off a bunch of
      services before you feel safe.
      Smart is an OS that lets the admin decide what to run.
      Why is this so hard to understand?
      If the service is not on, the user is safe.

    3. By gwyllion () on

      Gobbles has released a newer version of there exploit

      1. By Anonymous Coward () on

        This Gobbles is a immature little jerk. Patch your crap like your suppose to.

        end of discussion

    4. By Not Really Anonymous () on

      Who really cares about that one statement?

      I don't know anyone who would only use a secure OS as their only means of making sure their information is secure.

      If you do care about that statement, why? Does the OS only depend on this statement?

      Also, I could understand if OpenBSD was a commercial product, because then they would be able to use that "statement" to market themselves, but they are not.

      Unlike Oracles claims that their database software is "unbreakable", why don't people go after that?

  7. By Anonymous Coward () on

    Just a quick note for those who are still in doubt if the exploit is real or not: exploit is real and it works!

    I happened to leave on a business trip for a week exactly on the same date as the exploit was released. I could not patch the apache running on our company's server until after 4 days later. Guess what? When I came back and looked over the logs I could see clearly that our server was broken into using that Gobbles exploit. No major harm was done, since www user is not that powerful on my server, but database that is normally accessed via web interface, was screwed up badly - I had to restore it from a week old backup.

    1. Patch your systems as quickly as possible;
    2. Backup! Backup! Backup!


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]